DNS leak
-
@emammadov said in DNS leak:
If I remove them, I will lose internet connectivity.
You should fix that first.
pfSense uses the resolver, unbound. It has a build in list with the 13 main root servers.
It's like the DNS request chain is set up statically.
You have to set up an IP, and a gateway for WAN nothing more.pfSense uses the default DHCP client for obtaining a WAN IP and gateway - it discards any DNS servers, if the upstream DHCP servers supplies them. This could be your up stream router, or an ISP router at the other end of the city.
@emammadov said in DNS leak:
Is this a bug?
What bug ?
An incomplete (?) setup of a VPN connection is a bug in the brain of the admin.
I admit being curious about you waiting to obtain a new release of ... yourself ???? I know, nightly builds exists, but still .... please explain.Example :
Resolver settings :
With this setting I gave unbound the possibility to use any (all) interface to connect to available DNS servers. It's knows that all these are on the outside (not local) thus it will choose de default route, or WAN in my case.
I should consider selecting OPENVPN as an outgoing interface, to force all DNS requests to take the VPN path.Also :
System > Routing > Gateways : select the VPN type interface, not your WAN type interface.( examples are NOT exhaustive - variants exists )
-
@emammadov Which version of pfsense are you running? I have the same issue with 2.4.5-RELEASE-p1 release. I had a working and tested setup of pfsense 2.4.4 (the last install that I remember). No config change after that, the only thing that I changed was the periodic updates. And today I noticed that the clients on the VPN subnet are leaking DNS. I have no way to revert to the earlier release to reproduce but looks like this is specific to 2.4.5-RELEASE-p1 as I tried various other recommended settings with no luck.
-
2.4.5-p1 of course.
Early versions shouldn't be used, mainly for security reasons.Unbound, as a resolver, use whatever interface (outgoing) it can get it hands on, to obtain DNS answers.
This is normally the WAN interface. If you add another WAN type interface, like a connection to remote VPN server, then that will be another WAN interface.
Unbound should be restarted if such a VPN interface comes up. This happens typically later on during the boot process.
Firewall rues should enforce the behaviour that looks like this :
Use the classic WAN if it's the only one available.
Use a VPN WAN if that one is available.Btw : take note : I only did some minor VPN experiences using pfSense as a VPN-client, using a (paid) remote VPN server. As such, never tried to understand what 'DNS leaks' means.
See (all !) the official VPN videos from Netgate on their Youtube channel.
-
There isn't a known issue in 2.4.5 that would present like that.
How exactly do you have the clients configured?Unfortunately there are a great number of people out there who have no idea what DNS leak tests actually do. That means the signal to noise ratio for reports like this is low inducing skepticism!
Steve
-
@stephenw10 said in DNS leak:
Unfortunately there are a great number if people out there who have no idea what DNS leak tests actually do. That means the signal to noise ratio for reports like this low inducing skepticism!
I found the config issue on my side. Sorry for the Spam.
-
You'll have to try a lot harder to get classified as spam.
There's a lot of misinformation out there.
-
This post is deleted! -
@PowerSing funny how both of the two posts you have ever made are about the FUD a "friend" has told you about pfsense.
@stephenw10 can we get this account banned for being a troll?
-
We can certainly keep a close eye out!
I agree that is just FUD.
-
He is putting up names from linked in with another key word to boost their SEO rating.. Banned and posts deleted.
-
@emammadov DNS leaks can happen because of your configuration, ISP and bugs.
- Disconnected cable of your ISP on your Pfsense device.
- Go to System > General Setup >Â DNS server setting > DNS server > Enter 2 IP addresses from Quad9 DNS: 9.9.9.9 and 149.112.112.112 > Unchecked DNS Server Override > Save.
- Go to Services > DNS Resolver :Â
√ Checked Enable DNS resolver boxÂ
Network Interfaces - ALL
Outgoing Network Interfaces - ALL
√Checked Enable Forwarding Mode box
√Checked Use SSL/TSL for outgoing
√Checked DHCP Registration
√ Checked Static DHCP
Save. - Reboot Pfsense, Diagnostics > Reboot and reconnect your ISP cable.

Hope this helps.
-
So 'leaking' all of your queries to quad9 as opposed to resolving it yourself?
It really depends what you're trying to achieve. If that's hiding DNS queries from your ISP that would do it. If the test is checking if clients are sending DNS over a VPN that would show as all leaked.
Steve
-
I feel really guilty for reviving this 3 months old thread.
-
@stephenw10 said in DNS leak:
So 'leaking' all of your queries to quad9 as opposed to resolving it yourself?
It really depends what you're trying to achieve. If that's hiding DNS queries from your ISP that would do it. If the test is checking if clients are sending DNS over a VPN that would show as all leaked.
Steve
But Steve, it is still not quite right. A DNS leak is still a leak, that means ISP can still see visited hosts.
Pfsense configurations need some tweaking. For those who use VPN provider with DNS leaks please follow these steps:-
Go to Firewall > Wan > add new rule:
Action: Block
Interface: Wan
Address Family: IPv4+IPv6
Protocol: TCP/UDP
Source: Any
Destination: Any Port Range Custom: 53
Save -
Go to Firewall > Lan and/or Opt1 tab
Action: Pass
Interface: Lan and/or Opt1
Address Family: IPv4
Protocol: UDP
Source: Lan net or Opt1 net
Destination: any Port Range Custom: 53
#Click button# Display Advance
Gateway: Choose your VPN Interface
Save -
Go to Services > DHCP server > Lan and/or Opt1>Servers>DNS server (Quad9 DNS):
9.9. 9.9
149.112. 112.112
2620:fe::fe
2620:fe::fe:9
Save
Reboot your Pfsense and test it again for DNS leak https://ipleak.net

Hope this helps. -
-
That site does not respond for me. Which I'm finding quite ironic!
Any DNS leak test simply shows you where your clients queries are being resolved. You have to device for yourself if those are correct.
There is no reason to have a block rule for DNS on WAN. All inbound traffic is blocked on WAN by default anyway.
Steve
-
@stephenw10 said in DNS leak:
That site does not respond for me. Which I'm finding quite ironic!
Any DNS leak test simply shows you where your clients queries are being resolved. You have to device for yourself if those are correct.
There is no reason to have a block rule for DNS on WAN. All inbound traffic is blocked on WAN by default anyway.
Steve
Good morning Steve, theoretically the default configs is blocked on Wan, but for some odd reason Pfsense responds differently with different hardware ;)
Also the second rule (pass 53), you need to assign to all interfaces (opt1,opt2,..) and place it above all others rules.Then test again for DNS leak https://ipleak.net
-
@AKEGEC : your second rule : include TCP.
Your first rule : WAN is blocking everything, even for these devices :
but for some odd reason Pfsense responds differently with different hardware
so the default block all rule will do it's job. If for some "odd reasons" devices could penetrate the firewall I recommend changing the firewall and/or the person that admin's it.